Post on 28-Dec-2015
Data Protection and Computer Misuse Act material
Modified by Eric from Mary’s slides
Ethical issues
- Some computer databases hold a lot of personal details
  - Personal data needs to be protected
  - Unethical to misuse personal data
- Some computer systems hold sensitive information
  - Security arrangements allow authorised access only
  - Unethical to misuse or break into secure systems
- Legislation in place to make unethical use of computers also unlawful
Data Protection Acts
Legal protection for personal data
- How many organisations hold information about you?
- Think about a few
- Share some examples
Data held about us
- These organisations hold information about us: College, Loan company, Bank, Mobile phone provider, Library, Local council, DVLA, Insurance company, DHSS
- A typical adult may be listed in 200 computer systems
- Holding inaccurate data may result in problems
Data Protection Act 1984, updated 2000
- Act updated 1999 - came into effect spring 2000
- new Data Protection Principles
- passed to implement the European Data Protection Directive
- includes some manual/paper records for the first time
- extra rights for data subjects
- exemptions include:
  - preventing or detecting crime
  - catching or prosecuting offenders
  - assessing or collecting tax or duty
Data Protection - key definitions (1)
- Personal data: any data or information about an individual stored in computers by companies or organisations
  - living individuals
  - includes expressions of opinion about the individual
- Data subject: legal term referring to the individual whose data is held
Data Protection - key definitions (2)
- Data controller: person with defined responsibility for data protection within a company
  - could be a single person or a group of people
  - ensures that recorded data complies with the Act
  - holds detailed register of data to be held in the company
- Information Commissioner: official who supervises enforcement of the Data Protection Act
  - issues guidance
  - publishes views, for example on retention of DNA profiles
  - takes action in breaches of the Data Protection Act
Data Protection - eight principles
Data protection framed within 8 principles:
1. Obtained and processed fairly and lawfully
2. Processed for specific purposes
3. Adequate, relevant and not excessive to processing purpose
4. Accurate and up to date
5. Not kept for longer than necessary
6. Processed in accordance with data subject rights
7. Secure
8. Not transferred outside EEA without assurance of protection
Look at each in turn…
Principle 1
- Data must be obtained and processed fairly and lawfully
- Obtained fairly from data subject
- Subject must be aware of what data is being collected and how it will be used
- Example of breach: Company employs a private detective to find out about a prospective senior employee and puts the information on the recruitment system
Principle 2
- Data must be processed for specific purposes
- Cannot be used for another purpose unknown to subject
- Cannot be collected for provision of a service and then also used for another purpose without subject's consent
- Example of breach: Someone wishing to start a new club borrows a list of his company's customers as prospective members and also looks at other personal details to decide if they would be suitable club members
Principle 3
- Data must be adequate, relevant and not excessive to processing purpose
- Cannot request more data than is needed for the task at hand
- Very tempting to collect data for a future purpose - but not legal
- Example of breach: Marketing department sends questionnaires to customers, asking for age, gender, ethnic background, quantity and brands of foods they buy, hobbies, date and place of birth
  - Demographics and shopping habits fine for the purpose, but hobbies and birth details are excessive
Principle 4
- Data must be accurate and up to date
- Data controller under obligation to ensure accuracy
- If subject provides inaccurate data despite controller's attempts at accuracy, then principle not breached
- Data controller responsible for verifying accuracy
- Good way is to periodically request confirmation or update
- Example of breach: Customer unemployed when first taking out life insurance; subsequently found job and told the insurance company; insurance company failed to update records; customer later denied mortgage when insurance company told credit reference agency customer unemployed
Principle 5
- Data must not be kept for longer than necessary
- Destroy data when it is finished with
- Can be done automatically by software
- Can be prompted by computer system
- Example of breach: Magazine publisher sends magazines to subscribers; when subscription cancelled or not renewed, company keeps data about previous subscriber and keeps sending magazines
Principle 6
- Data must be processed in accordance with data subject rights
- Data subjects have access rights that must be upheld
- Failure to comply with requests from the Information Commissioner also breaches this principle
- Example of breach: An employee asks to see the data held on her by the company but she is told that it is confidential and she is not allowed to see it
Principle 7
- Data must be kept secure at all times
- Data controllers must apply appropriate security measures
- Prevent internal and external access by unauthorised users
  - Hardware: card access to rooms, firewalls, CCTV etc
  - Software: passwords, virus scanners, etc
  - Organisational: internal audit, division of duties, dual control of cash
- Example of breach: When travelling to a meeting in another town, an employee accidentally leaves a file of insurance claims on the train
Principle 8
- Data must not be transferred outside EEA without assurance of adequate protection
- No restriction of movement within European Economic Area
- Restricted data movement to countries without equivalent data protection
- Agreed on a country-by-country basis
- Within UK, European Commission decides what data can be transferred where
- Example of breach: A company sets up a new customer contact centre in a country that has no data protection legislation and sends all its customer files to that country
Applying data protection
There are steps to take to ensure compliance:
- Audit the information held in the organisation
- Apply each of the 8 principles to all collection, storage and use of personal data
- Collect, record, store and process current and future data in accordance with the rights of data subjects
Computer Misuse Act
- Legal protection for secure computer systems
- Intended to reduce online criminal activity
  - Hacking into systems
  - Changing information in computer files or databases
  - Trying to access or change material
Why Needed?
- History of 'hackers' breaking into computer systems
- D of E's mailbox (Prestel) - hacked into 1986; difficult to prosecute
- Labour Party web-site just before 1997 general election
Computer Misuse Act Offences
Three types of offence:
- Unauthorised access
- Unauthorised access with intent to continue
- Unauthorised modification
Look at each in turn….
Unauthorised access
- Unauthorised access to computer material: files, webpages, program code, operational schedules, email accounts, databases, financial accounts, personal details, company-confidential material
Unauthorised access with intent
- Unauthorised access to computer material with intent to commit or facilitate further offences
- Covers intention to make changes to computer material
- Covers intention to make changes to settings
  - To gain easier access next time
  - To enable edits next time
Unauthorised modification
- Unauthorised modification of computer material: files, operational schedules, planning schedules, database entries, passwords, program code, and so on
Offences Translated
1. 'hacking'
  - no intention to cause harm is necessary for prosecution
  - magistrates court, £5000 fine / up to 6 months sentence
2. theft
  - unauthorised access to computer material in order to commit theft by re-directing funds to own bank account
  - trial by jury, unlimited fines / up to 5 years sentence
3. malicious damage
  - deliberate erasure or corruption of programs or data
  - introduction of viruses and worms
  - modifying or destroying another user's file or system files
  - trial by jury, unlimited fines / up to 5 years sentence
Other possible offences include theft of electricity, false accounting, suppression of documents, breach of copyright
Note: confidential information is not property, and so cannot be the subject matter of theft